On Wed, 29 Oct 2003 at 02:59:17PM -0500, Michael Bordignon wrote:
> I have chkrootkit running nightly and mailing results to me - last night it
> reported this:
>
> Checking `lkm'... You have 1 process hidden for readdir command
> You have 1 process hidden for ps command
> Warning: Possible LKM Trojan installed
> Checking `sniffer'...
> PROMISC mode detected in one of these interfaces: eth0 eth1
>
> I have no idea how to proceed further, could someone suggest the steps I
> should take now?
I think there is a race condition that was discussed before about rootkit checkers. First it reads in data from the ps command. It then stores this data in a buffer. Then it reads /proc (or vice versa, I forget the order). It then compares the two places. If a new process should happen to start between these two reads it will generate this message. Now, I am not saying there is *NOT* a security problem with your machine.

As for the PROMISC mode on the NICs... are you running snort or something like it? If so, these NIDS (Network Intrusion Detectors) place cards in PROMISC mode to watch traffic.

Just a few things to be aware of...

--
Phillip Hofmeister

PGP/GPG Key: http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
--
Excuse #47: Cosmic ray particles crashed through the hard disk platter
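The two checks discussed in the thread, written out as an added example that is not chkrootkit's code and not part of either message above. It cross-checks the PIDs that readdir() sees in /proc against the PIDs that ps reports, but samples both views several times and only reports a PID that is present in every /proc sample and absent from every ps sample; a PID that shows up in only some samples is treated as the start/exit race the reply describes rather than as a hidden process. The PROMISC check reads the interface flags word from /sys/class/net and tests the IFF_PROMISC bit (0x100 in <linux/if.h>); it says whether the flag is set, not who set it, so a legitimately running snort trips it exactly as a sniffer would. The sample count, pause, and the use of /sys/class/net (a modern Linux host is assumed) are choices made here, not anything from the thread.

```python
"""Cross-check /proc against ps, tolerating the read race, and test IFF_PROMISC.

Added example for the thread above; not chkrootkit's implementation.
"""
import os
import subprocess
import time

IFF_PROMISC = 0x100  # from <linux/if.h>


def pids_from_proc():
    """PIDs visible to readdir() on /proc (first view)."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def pids_from_ps():
    """PIDs as reported by ps (second, independent view)."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def hidden_pids(proc_samples, ps_samples):
    """PIDs present in *every* /proc sample but absent from *every* ps sample.

    A single snapshot of each view differs whenever a process starts or
    exits between the two reads, which is the race the reply describes.
    Requiring consistency across all samples discards that noise: a PID
    seen in only some /proc samples, or seen by ps even once, is not
    reported.
    """
    always_in_proc = set.intersection(*proc_samples)
    ever_in_ps = set.union(*ps_samples)
    return sorted(always_in_proc - ever_in_ps)


def collect(samples=5, pause=0.2):
    """Take interleaved /proc and ps samples (counts are this example's choice)."""
    proc_samples, ps_samples = [], []
    for _ in range(samples):
        proc_samples.append(pids_from_proc())
        ps_samples.append(pids_from_ps())
        time.sleep(pause)
    return proc_samples, ps_samples


def promisc_interfaces(flags_by_iface):
    """Interfaces whose flags word has IFF_PROMISC set."""
    return sorted(name for name, flags in flags_by_iface.items()
                  if flags & IFF_PROMISC)


def read_iface_flags():
    """Read the hex flags word of each interface from /sys/class/net (assumed
    to exist on the host; older systems would use ifconfig instead)."""
    flags = {}
    for iface in os.listdir("/sys/class/net"):
        try:
            with open(f"/sys/class/net/{iface}/flags") as fh:
                flags[iface] = int(fh.read().strip(), 16)
        except OSError:
            continue
    return flags


if __name__ == "__main__":
    proc_s, ps_s = collect()
    print("PIDs consistently hidden from ps:", hidden_pids(proc_s, ps_s) or "none")
    print("interfaces with IFF_PROMISC set:",
          promisc_interfaces(read_iface_flags()) or "none")
```

A PID that survives this filter still needs manual inspection (for example /proc/PID/exe, cmdline and maps), and an interface with IFF_PROMISC set should be matched against whatever sniffer or NIDS is known to be running before it is treated as evidence of compromise.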